| Field | Value |
|---|---|
| Summary | Interactive PolicyKit authentication not working |
| Product | Fedora |
| Reporter | Adam Williamson <awilliam> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED RAWHIDE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high |
| Priority | unspecified |
| Version | rawhide |
| CC | davidz, dominick.grift, dwalsh, eparis, jmorris, lpoetter, mgrepl, pbrobinson, sdsmall |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Last Closed | 2011-11-21 16:53:40 UTC |
Description (Adam Williamson, 2011-11-11 07:47:40 UTC)
Seems to be down to selinux: if I boot with enforcing=0, PK auth works.
I have these AVCs during boot when booting with enforcing=0, not sure if they're related, though:
Nov 11 13:46:50 adam kernel: [ 3.922412] type=1400 audit(1321048006.822:3): avc: denied { write } for pid=1 comm="systemd" name="/" dev=tmpfs ino=8408 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Nov 11 13:46:50 adam kernel: [ 3.922416] type=1400 audit(1321048006.822:4): avc: denied { add_name } for pid=1 comm="systemd" name="Sea500" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Nov 11 13:46:50 adam kernel: [ 3.922420] type=1400 audit(1321048006.822:5): avc: denied { create } for pid=1 comm="systemd" name="Sea500" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Nov 11 13:46:50 adam kernel: [ 6.898557] type=1400 audit(1321048009.802:6): avc: denied { execute } for pid=891 comm="sd(EXEC)" name="aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [ 6.898562] type=1400 audit(1321048009.802:7): avc: denied { read open } for pid=891 comm="sd(EXEC)" name="aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [ 6.898619] type=1400 audit(1321048009.802:8): avc: denied { execute_no_trans } for pid=891 comm="sd(EXEC)" path="/usr/libexec/postfix/aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [ 6.899448] type=1400 audit(1321048009.802:9): avc: denied { ioctl } for pid=891 comm="aliasesdb" path="/usr/libexec/postfix/aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [ 6.899457] type=1400 audit(1321048009.802:10): avc: denied { getattr } for pid=891 comm="aliasesdb" path="/usr/libexec/postfix/aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [ 6.902257] type=1400 audit(1321048009.805:11): avc: denied { getattr } for pid=891 comm="aliasesdb" path="/etc/aliases" dev=dm-2 ino=132532 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [ 7.991926] type=1400 audit(1321048010.896:12): avc: denied { read } for pid=992 comm="libvirtd" name="images" dev=sdb1 ino=12 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
Nov 11 13:46:51 adam kernel: [ 8.115620] type=1400 audit(1321048011.021:13): avc: denied { read } for pid=992 comm="libvirtd" name="efiboot.img" dev=sdb1 ino=52 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
Nov 11 13:46:51 adam kernel: [ 8.115634] type=1400 audit(1321048011.021:14): avc: denied { open } for pid=992 comm="libvirtd" name="efiboot.img" dev=sdb1 ino=52 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
Nov 11 13:46:51 adam kernel: [ 8.115649] type=1400 audit(1321048011.021:15): avc: denied { getattr } for pid=992 comm="libvirtd" path="/media/Sea500/images/efiboot.img" dev=sdb1 ino=52 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
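A parser for AVC lines like the ones above, added here as an example and not part of the bug report: it groups denials by source type, target type and object class the way audit2allow summarises them, can filter on a single source domain (as is later requested for consolekit), and flags file_t targets as an unlabeled-filesystem problem for restorecon rather than a policy gap. Three sample lines are copied from the report; the consolekit_t capability line is constructed.

```python
import re
from collections import defaultdict

# Sample input: three lines from the report above plus one CONSTRUCTED
# consolekit_t capability denial (not taken from the original bug).
SAMPLE_LOG = """\
Nov 11 13:46:50 adam kernel: [ 3.922412] type=1400 audit(1321048006.822:3): avc: denied { write } for pid=1 comm="systemd" name="/" dev=tmpfs ino=8408 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Nov 11 13:46:50 adam kernel: [ 6.898562] type=1400 audit(1321048009.802:7): avc: denied { read open } for pid=891 comm="sd(EXEC)" name="aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file
Nov 11 13:46:51 adam kernel: [ 8.115634] type=1400 audit(1321048011.021:14): avc: denied { open } for pid=992 comm="libvirtd" name="efiboot.img" dev=sdb1 ino=52 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
Nov 11 13:47:02 adam kernel: [ 19.000000] type=1400 audit(1321048022.000:20): avc: denied { sys_ptrace } for pid=1200 comm="console-kit-dae" capability=19 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:system_r:consolekit_t:s0 tclass=capability
"""

# Permissions sit inside { }, then scontext/tcontext/tclass follow later on the line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:range] -> type (the range may itself contain ':')."""
    return ctx.split(":")[2]


def parse_avcs(log, domain=None):
    """Return {(source_type, target_type, tclass): set(perms)} for denied AVCs,
    optionally keeping only denials whose source type equals `domain`."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = context_type(m.group("scontext"))
        if domain and stype != domain:
            continue
        key = (stype, context_type(m.group("tcontext")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def to_allow_rules(rules):
    """Render audit2allow-style allow rules. A file_t target means the file is
    unlabeled (e.g. a disk never relabeled); the fix is restorecon, not policy."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if ttype == "file_t":
            rule += "  # unlabeled target: run restorecon -R -v instead of allowing"
        out.append(rule)
    return out
```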
selinux-policy -57 does not fix this.

file_t is caused by you having a disk without labels.

restorecon -R -v /media

Should fix those.

I will add policy to allow init to run the aliases.db file. Not sure what systemd is writing to the /mnt? But none of these are causing the problem.

I have a feeling this has something to do with consolekit.

# semanage permissive -a consolekit_t

And see if this fixes the problem?

Yes, that does fix / workaround the issue.

If it's a problem with ConsoleKit I suspect it might be this feature that's causing the issues. Adding lennart as it's his feature https://fedoraproject.org/wiki/Features/ckremoval

Adam can you run

semodule -DB

reboot, login, gather all AVCs that mention consolekit, and attach them.

semodule -B

Will turn off dontaudit rules. You probably want to clean your log files.

Adam I would do this myself, but I have hosed up my rawhide box, due to the X Server update stuff.

I'll try and do that, yeah. Note that after a bit I noticed that the semanage 'workaround' doesn't fix everything - notably, the system gets stuck at the lock screen if you let it time out. So I'm booting with enforcing=0 for now.

Created attachment 534073: Policy to fix login in Rawhide
While I am not seeing this on my rawhide box, I did see some other problems without this access. (Modifications of the wireless).
Adding this access fixed the wireless, and seems like it would fix your problems.
You can test it by saving this file to a file named mypol.te
Then execute
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp
# setenforce 1
Try to login.
One of the features I am trying to add to F17 is the ability to eliminate all sys_ptrace and ptrace, via boolean. I want to investigate if these processes actually need sys_ptrace or if this is a bug in the kernel.
Dan says the fix will be in selinux-policy -59, so I'll just wait for that.

Well, 'currentrelease' seems optimistic, as there's still no -59 build in koji.